Description of the problem:
I have a site which distributes the configurations:
https://cliconf.aa.bb.cc/cgi-bin/get-config.cgi
It returns the config JSON and some HTTP headers for CORS:
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
access-control-allow-origin: *
access-control-allow-headers: *
I have the app site
https://web.aa.bb.cc/
These two sites are in the same domain zone, but the app doesn't read the config and returns the error "strict-origin-when-cross-origin".
The curl call
curl -v -H "Origin: https://web.aa.bb.cc/" --url "https://cliconf.aa.bb.cc/cgi-bin/get-config.cgi"
returns 200:
* Trying x.x.x.x...
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/xxxxxx.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.x.x.x.x
* start date: Jun 15 00:00:00 2022 GMT
* expire date: Jul 14 23:59:59 2023 GMT
* subjectAltName: host "x.x.x.x" matched cert's "*.x.x.x.x"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5573120e5e80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /cgi-bin/config?environment=aws_dev HTTP/2
> Host: x.x.x.x:443
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< date: Thu, 12 Jan 2023 14:55:55 GMT
< content-type: application/json
< server: nginx/1.18.0 (Ubuntu)
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< access-control-allow-headers: *
< access-control-allow-origin: *
< access-control-max-age: 3600
< access-control-expose-headers: Content-Length
<
{"logcollector": "https://x.x.x.x/gelf", "linkFrontend": "https://x.x.x.x", x.x.x.x, "name": "dev", "linkAdminApi": "https://x.x.x.x", "maintenance": false, "manifest_id": "x.x.x.x", "url_appsite": "https://x.x.x.x", "linkSupport": "https://x.x.x.x", "websocketPathFrontend": "wss://x.x.x.x/wsapi" }
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host x.x.x.x left intact
I found this article: https://developer.chrome.com/blog/referrer-policy-new-chrome-default/
but it's still not clear to me which headers I have to set, and on which side, in order for it to work.
All web servers are nginx.
nginx conf file from cliconf.aa.bb.cc:
server {
    listen *:80;
    add_header Access-Control-Allow-Headers *;
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Max-Age 3600;
    add_header Access-Control-Expose-Headers Content-Length;
    location / {
        try_files $uri $uri/ =404;
    }
    include fcgiwrap.conf;
    access_log /var/log/nginx/cliconf.aa.bb.cc-access.log;
    error_log /var/log/nginx/cliconf.aa.bb.cc-error.log;
}
I included in the main index.html
<meta name="referrer" content="unsafe-url" />
but it is still not working.
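The check a browser runs against these headers, written here as an added example (not code from the original post): it parses the response block from the curl run above, normalises the Origin value, and reports whether a plain, a credentialed and a preflighted request from https://web.aa.bb.cc would pass. CREDENTIALED_RESPONSE and the function names are constructed for illustration.

```python
"""Browser-side CORS evaluation over the response in the question above.

Added example, not code from the original post.  CURL_RESPONSE is the header
block the questioner's curl run printed for cliconf.aa.bb.cc; the requesting
origin https://web.aa.bb.cc comes from the post; CREDENTIALED_RESPONSE and
the function names are constructed for illustration.
"""
from urllib.parse import urlsplit

# Response headers copied from the curl -v output in the question
# ("< " is curl's marker for received lines).
CURL_RESPONSE = """\
< HTTP/2 200
< date: Thu, 12 Jan 2023 14:55:55 GMT
< content-type: application/json
< server: nginx/1.18.0 (Ubuntu)
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< access-control-allow-headers: *
< access-control-allow-origin: *
< access-control-max-age: 3600
< access-control-expose-headers: Content-Length
<
"""

# Constructed header set for the credentialed case: the origin is echoed back
# explicitly and Allow-Credentials is set, the only shape browsers accept when
# cookies or an Authorization header travel with the request.
CREDENTIALED_RESPONSE = {
    "access-control-allow-origin": ["https://web.aa.bb.cc"],
    "access-control-allow-credentials": ["true"],
    "access-control-allow-headers": ["Authorization, Content-Type"],
}


def parse_curl_headers(dump):
    """Collect received headers from a curl -v dump into {name: [values]}.

    Names are lower-cased (header names are case-insensitive) and repeated
    headers such as the three Vary lines are kept as separate values.
    """
    headers = {}
    for line in dump.splitlines():
        if not line.startswith("< ") or ":" not in line:
            continue  # status line, sent headers and curl chatter
        name, _, value = line[2:].partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def origin_of(url):
    """Serialise a URL to its origin: scheme://host[:port], no path or slash.

    The curl command in the question sends "Origin: https://web.aa.bb.cc/";
    a browser sends https://web.aa.bb.cc, and the server-side comparison is
    an exact string match.
    """
    parts = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def cors_allows(headers, origin, credentials=False, request_headers=()):
    """Return (allowed, reason) following the Fetch standard's CORS check.

    headers: dict as produced by parse_curl_headers.
    credentials: True when the request carries cookies / Authorization.
    request_headers: non-safelisted header names the request wants to send
    (the part a preflight would have to get approved).
    """
    acao = headers.get("access-control-allow-origin", [])
    if len(acao) != 1:
        return False, "exactly one Access-Control-Allow-Origin value is required"
    acao = acao[0]
    if credentials:
        if acao == "*":
            return False, "wildcard Allow-Origin is rejected for credentialed requests"
        if headers.get("access-control-allow-credentials") != ["true"]:
            return False, "Access-Control-Allow-Credentials: true is missing"
    if acao != "*" and acao != origin:
        return False, f"origin {origin} does not match Allow-Origin {acao}"
    allowed = {h.strip().lower()
               for value in headers.get("access-control-allow-headers", [])
               for h in value.split(",") if h.strip()}
    for name in (h.lower() for h in request_headers):
        # "*" covers every header except Authorization, and only when the
        # request is not credentialed; otherwise "*" is just a literal name.
        wildcard_ok = "*" in allowed and not credentials and name != "authorization"
        if not wildcard_ok and name not in allowed:
            return False, f"request header {name} is not in Access-Control-Allow-Headers"
    return True, "allowed"


if __name__ == "__main__":
    site = origin_of("https://web.aa.bb.cc/")
    hdrs = parse_curl_headers(CURL_RESPONSE)
    print("plain GET:         ", cors_allows(hdrs, site))
    print("with credentials:  ", cors_allows(hdrs, site, credentials=True))
    print("with Authorization:", cors_allows(hdrs, site, request_headers=["Authorization"]))
    print("explicit origin:   ", cors_allows(CREDENTIALED_RESPONSE, site, credentials=True,
                                              request_headers=["Authorization"]))
```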
Related
I'm testing proxying an HTTPS request from a server running Nginx (which I will call client-side) to another (server-side) that will proxy the request to a local Alertmanager. The server-side is TLS with a self-signed certificate. When I set proxy_ssl_verify to on on the client-side with the self-signed certificate in proxy_ssl_trusted_certificate, the client-side Nginx returns 503 Unavailable without logging any error.
Any help understanding why the client-side Nginx closes the connection silently and returns 503 would be much appreciated!
**Server-side Nginx config**
nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    include /etc/nginx/conf.d/sites-enabled/*.conf;
}
alertmanager.conf:
upstream alertmanager {
    server 127.0.0.1:9193;
}
server {
    listen 127.0.0.1:9093 ssl;
    listen 192.168.128.2:9093 ssl;
    server_name 172.29.49.202;
    include /etc/nginx/conf.d/common.conf;
    include /etc/nginx/conf.d/ssl.conf;
    ssl_certificate /etc/ssl/private/alertmanager-cert.pem;
    ssl_certificate_key /etc/ssl/private/alertmanager-key.pem;
    location / {
        proxy_pass http://alertmanager;
        include /etc/nginx/conf.d/common_location.conf;
        auth_basic alertmanager;
        auth_basic_user_file /etc/nginx/conf.d/alertmanager/.htpasswd;
        add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Content-Type, Origin' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header X-XSS-Protection "1; mode=block";
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $http_origin always;
            add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Content-Type, Origin' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header X-XSS-Protection "1; mode=block";
            return 200;
        }
    }
}
ssl.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
Nginx version on the server-side is 1.21.6.
Client-side Nginx config
nginx.conf:
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
worker_rlimit_nofile 99999;
events {
    worker_connections 32768;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    limit_req_zone $server_name zone=one:10m rate=1800r/s;
    keepalive_timeout 86400s;
    keepalive_requests 150000;
    client_header_timeout 86400s;
    client_max_body_size 50M;
    include /etc/nginx/conf.d/*.conf;
}
default.conf:
upstream alertmanager {
    server 172.29.49.202:9093;
}
server {
    listen 8080 ssl;
    listen [::]:8080 ssl;
    server_name management;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location /alertmanager/ {
        limit_rate 1024k;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        add_header X-XSS-Protection "1; mode=block";
        # Allow backend with keepalive connections
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Authorization "Basic <redacted>";
        proxy_pass https://alertmanager/;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/rbbn/ids/nginx/appsvc/alertmanager-cert.pem;
        proxy_next_upstream error timeout http_500;
    }
}
Note that alertmanager-cert.pem on both servers are the same self-signed cert. The nginx version is 1.22.1.
Validating connection with the certificate
I can see that validating the upstream connection with the self-signed cert works fine.
# curl -v -H "Authorization: Basic <redacted>" https://172.29.49.202:9093 --cacert alertmanager-cert.pem
* Rebuilt URL to: https://172.29.49.202:9093/
* Trying 172.29.49.202...
* TCP_NODELAY set
* Connected to 172.29.49.202 (172.29.49.202) port 9093 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/rbbn/ids/nginx/appsvc/alertmanager-cert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=blabla
* start date: Jan 11 23:46:27 2023 GMT
* expire date: Jan 11 23:46:27 2024 GMT
* subjectAltName: host "172.29.49.202" matched cert's IP address!
* issuer: CN=blabla
* SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: 172.29.49.202:9093
> User-Agent: curl/7.61.1
> Accept: */*
> Authorization: Basic <redacted>
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
...
Running the command through Nginx with proxy_ssl_verify
When trying to do it through Nginx, I get a 503 response though.
# curl -v -k https://127.0.0.1:8080/alertmanager/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: ...
* start date: Jan 11 01:52:36 2023 GMT
* expire date: Dec 18 01:52:36 2122 GMT
* issuer: ...
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /alertmanager/ HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 503 Service Temporarily Unavailable
< Server: nginx/1.22.1
< Date: Thu, 12 Jan 2023 19:18:50 GMT
< Content-Type: application/json
< Content-Length: 32
< Connection: keep-alive
< ETag: "63bf5851-20"
< Retry-After: 1
<
{"error":"Service Unavailable"}
I tried capturing traffic on the server-side and I see that the TLS handshake gets done, but then the client-side Nginx closes the connection.
TLS handshake
I see this error in the client-side Nginx's logs, but nothing on the server-side.
[info] 17#17: *272 client closed connection while waiting for request, client: 172.29.49.112, server: 192.168.128.2:9093
Testing without proxy_ssl_verify
When proxy_ssl_verify is disabled, the connection succeeds.
# curl -v -k https://127.0.0.1:8080/alertmanager/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: ...
* start date: Jan 11 01:52:36 2023 GMT
* expire date: Dec 18 01:52:36 2122 GMT
* issuer: ...
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /alertmanager/ HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Date: Thu, 12 Jan 2023 19:33:21 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1381
< Connection: keep-alive
< Server: nginx/1.21.6
< Accept-Ranges: bytes
< Cache-Control: no-cache, no-store, must-revalidate
< Expires: 0
< Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
< Pragma: no-cache
< Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Origin
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Credentials: true
< X-XSS-Protection: 1; mode=block
< X-XSS-Protection: 1; mode=block
The Airflow deployed by the official Helm chart does not redirect to HTTPS. It is running behind a LoadBalancer with an ingress controller service.
Here is my ingress controller:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/scheme: internet-facing
    ingress.kubernetes.io/healthcheck-protocol: HTTP
    ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  name: airflow-webser
  namespace: airflow
spec:
  # secretName: tls-secret
  rules:
  - host: airflow.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: airflow-webserver
          servicePort: airflow-ui
Here is my Airflow service, which I got with kubectl -o yaml:
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"meta.helm.sh/release-name":"airflow","meta.helm.sh/release-namespace":"airflow"},"creationTimestamp":"2022-07-07T01:37:40Z","labels":{"app.kubernetes.io/managed-by":"Helm","chart":"airflow-1.6.0","component":"webserver","heritage":"Helm","release":"airflow","tier":"airflow"},"name":"airflow-webserver","namespace":"airflow","resourceVersion":"11826...","uid":"2ee4946c"},"spec":{"clusterIP":"","clusterIPs":["172....."],"externalTrafficPolicy":"Cluster","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","ports":[{"name":"airflow-ui","nodePort":32...,"port":80,"protocol":"TCP","targetPort":8080}],"selector":{"component":"webserver","release":"airflow","tier":"airflow"},"sessionAffinity":"None","type":"NodePort"},"status":{"loadBalancer":{}}}
    meta.helm.sh/release-name: airflow
    meta.helm.sh/release-namespace: airflow
  creationTimestamp: "2022-06-07T04:15:13Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    chart: airflow-1.6.0
    component: webserver
    heritage: Helm
    release: airflow
    tier: airflow
  name: airflow-webserver
  namespace: airflow
  resourceVersion: "12000742"
  uid: 9fe3e104-0c00-4cab-b701
spec:
  clusterIP: 172.10.....
  clusterIPs:
  - 172.10.....
  externalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: airflow-ui
    nodePort: 32...
    port: 443
    protocol: TCP
    targetPort: airflow-ui
  selector:
    component: webserver
    release: airflow
    tier: airflow
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}
The other front-end apps I applied work fine, listening on HTTPS with AWS certificate management. I tried the same thing for Airflow but it didn't work; it redirects to HTTP.
❯ curl https://example.com/ ─╯
* Trying IP ADDRESS:443...
* Connected to airflow.example.com (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example.com
* start date: Jul 6 00:00:00 2022 GMT
* expire date: Aug 4 23:59:59 2023 GMT
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: airflow.example.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 FOUND
< Content-Type: text/html; charset=utf-8
< Date: Fri, 08 Jul 2022 00:57:57 GMT
< Location: http://airflow.example.com/home
< Server: nginx/1.19.1
< Set-Cookie: session=7916bd57-21b4-4c39-ac89-c6d56c924e2a.SWJ9WmiwN849ZPoilwH5UWiXhbg; Expires=Sun, 07-Aug-2022 00:57:57 GMT; HttpOnly; Path=/; SameSite=Lax
< X-Frame-Options: DENY
< X-Robots-Tag: noindex, nofollow
< Content-Length: 217
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
I would be happy if someone could help me out.
Getting a little confused; a test directory structure:
/usr/share/nginx/html/public:
index.php - uses rewrite
test.html
When I access example.com/test.html it returns 404, but index.php loads the application with the rewrite rules all working perfectly.
I really don't understand what is happening: the test.html file exists in the same folder as index.php, so shouldn't try_files $uri pick that up?
Here is the nginx config:
server {
    listen 80;
    root /usr/share/nginx/html/public;
    server_name example.com;
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        #try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        fastcgi_next_upstream_timeout 10s;
        fastcgi_next_upstream_tries 2;
        fastcgi_pass localhost:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        internal;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
    }
    # deny access to apache .htaccess
    location ~ /\.ht {
        deny all;
    }
    error_log /usr/share/nginx/logs/error.log;
    access_log /usr/share/nginx/logs/access.log;
}
EDIT
Before this part is executed there is a reverse proxy in front of it, configured like this:
server {
    listen 443 ssl;
    ssl_certificate /usr/local/etc/ssl/certs/live/example.com/cert.pem;
    ssl_certificate_key /usr/local/etc/ssl/certs/live/example.com/privkey.pem;
    ssl_session_timeout 10m;
    ssl_verify_client off;
    server_name example.com;
    error_log /usr/share/nginx/logs/error-api.log;
    access_log /usr/share/nginx/logs/access-api.log;
    location / {
        proxy_next_upstream error timeout http_502;
        proxy_next_upstream_tries 10;
        proxy_pass http://api;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_session_reuse on;
        proxy_set_header Origin https://gofollow.vip;
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin $http_origin;
        proxy_set_header Referer $host:$server_port;
        proxy_http_version 1.1;
        proxy_set_header X-XSS-Protection 1;
        proxy_set_header X-Content-Type-Options nosniff;
        proxy_set_header Referrer-Policy origin;
        proxy_set_header X-Frame-Options DENY;
        proxy_buffering on;
        proxy_cache STATIC;
        proxy_cache_valid 200 1d;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    }
}
Here is the output of a curl request to the test.html file via the reverse proxy; I have replaced the domain with example.com and the IP with 111.11.111.111:
* Trying 111.11.111.111:443...
* Connected to example.com (111.11.111.111) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=example.com
* start date: May 20 12:10:16 2022 GMT
* expire date: Aug 18 12:10:15 2022 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /test.html HTTP/1.1
> Host: example.com
> User-Agent: curl/7.82.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.21.6
< Date: Sat, 21 May 2022 11:00:16 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.4.29
< Cache-Control: no-cache, private
< X-Frame-Options: DENY
< X-XSS-Protection: 1
< X-Content-Type-Options: nosniff
< Referrer-Policy: origin
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Access-Control-Expose-Headers: link
<
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="robots" content="noindex,nofollow,noarchive" />
<title>An Error Occurred: Not Found</title>
<style>body { background-color: #fff; color: #222; font: 16px/1.5 -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; margin: 0; }
.container { margin: 30px; max-width: 600px; }
h1 { color: #dc3545; font-size: 24px; }
h2 { font-size: 18px; }</style>
</head>
<body>
<div class="container">
<h1>Oops! An Error Occurred</h1>
<h2>The server returned a "404 Not Found".</h2>
<p>
Something is broken. Please let us know what you were doing when this error occurred.
We will fix it as soon as possible. Sorry for any inconvenience caused.
</p>
</div>
</body>
* Connection #0 to host example.com left intact
</html>%
My certificates are valid.
There is another web server in my EC2 instance and it uses port 443,
so I planned to use port 8443 rather than port 443,
but I got a 400 error.
I think the SSL I typed in my config isn't working well for the URL.
An absolute path for the SSL files also does not work.
Would you help me?
This is my config.
NGINX.conf
user nginx;
worker_processes auto;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    error_log /var/log/nginx/error.log;
    access_log off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}
and
/etc/nginx/conf.d/myTest.conf
server {
    listen 80;
    listen 8443 default ssl;
    server_name ;
    ssl_certificate star_cyberskyshop_com_NginX_cert.pem;
    ssl_certificate_key star_cyberskyshop_com_NginX_nopass_key.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /var/www/code/img1/public;
        # nginx directives are case-sensitive: "index", not "Index"
        index index.html index.htm index.php;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/code/img1/public$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }
}
This is the curl log:
jangbyeongwoo#jangbyeong-uui-MacBookAir ~ % curl -v https://img1.cyberskyshop.com:8443/sample.jpg
* Trying 52.78.41.24:8443...
* Connected to (52.78.41.24) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=KR; L=Seoul; O=Cybersky Co., Ltd.; OU=Development Team; CN=*.e-skyshop.com
* start date: Mar 26 00:00:00 2021 GMT
* expire date: Apr 26 23:59:59 2022 GMT
* subjectAltName does not match img1.cyberskyshop.com
* SSL: no alternative certificate subject name matches target host name 'img1.cyberskyshop.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'img1.cyberskyshop.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Below is a picture of the SSL pem file I added.
Its CN is present and correct (*.cyberskyshop.com), but the curl log doesn't show the correct one.
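The two curl verdicts quoted on this page, "no alternative certificate subject name matches target host name" in this post and "matched cert's IP address!" in the Alertmanager post above, come from the same hostname-matching rule. As an added example (not code from any of the posts), here is that rule implemented over the names the logs printed; the *.aa.bb.cc pattern, the SAN strings and the function names are constructed.

```python
"""Hostname matching as curl and RFC 6125 apply it to a server certificate.

Added example, not code from any of the posts.  The names *.e-skyshop.com,
img1.cyberskyshop.com, blabla and 172.29.49.202 are taken from the curl logs
above; the *.aa.bb.cc pattern, the SAN strings and the function names are
constructed.
"""
import ipaddress


def parse_san(text):
    """Split the subjectAltName text that `openssl x509 -noout -ext subjectAltName`
    prints, e.g. "DNS:*.example.com, IP Address:172.29.49.202"."""
    dns_names, ip_addresses = [], []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_addresses.append(value)
    return dns_names, ip_addresses


def dns_name_matches(pattern, host):
    """One dNSName SAN entry against a DNS host name (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # A wildcard must be the whole left-most label, must leave at least two
    # labels after it (no "*.com"), and never spans a dot: a three-label
    # pattern only matches a three-label host.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def match_hostname(target, dns_names=(), ip_addresses=()):
    """Return (matched, message) in the wording curl -v uses.

    An IP literal is compared only with iPAddress SAN entries and a DNS name
    only with dNSName entries; a DNS entry that merely spells the IP does not
    count.  The CN is only a fallback for certificates without any SAN, so it
    is not consulted here.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        for entry in ip_addresses:
            if ipaddress.ip_address(entry) == target_ip:
                return True, f'host "{target}" matched cert\'s IP address'
        return False, f"no iPAddress SAN matches {target}"
    for name in dns_names:
        if dns_name_matches(name, target):
            return True, f'host "{target}" matched cert\'s "{name}"'
    return False, ("SSL: no alternative certificate subject name matches "
                   f"target host name '{target}'")


if __name__ == "__main__":
    # The certificate served on port 8443 in this post: a wildcard for another zone.
    print(match_hostname("img1.cyberskyshop.com", *parse_san("DNS:*.e-skyshop.com")))
    # The Alertmanager certificate from the proxy_ssl_verify post (constructed
    # SAN string reproducing what its curl log reported).
    print(match_hostname("172.29.49.202", *parse_san("DNS:blabla, IP Address:172.29.49.202")))
    # Wildcards do not cross label boundaries (constructed pattern).
    print(match_hostname("web.aa.bb.cc", *parse_san("DNS:*.aa.bb.cc")))
    print(match_hostname("deep.web.aa.bb.cc", *parse_san("DNS:*.aa.bb.cc")))
```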
I'm currently trying to set up a WordPress behind an nginx proxy configured as follows:
server {
    listen 80 default_server;
    server_name localhost;
    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;
    location / {
        client_max_body_size 200M;
        proxy_redirect off;
        proxy_read_timeout 1m;
        proxy_connect_timeout 1m;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Host $http_host;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://a2a4d2d0a77264312bfd46b264cba9c8f-wordpress/;
        sub_filter_once off;
        sub_filter_types *;
        sub_filter_last_modified off;
        sub_filter '<domain-1>' '$host';
        sub_filter '<domain-2>' '$host';
    }
}
This proxy is configured to serve two domains: one
is password protected (http_auth) and the other is not (domain-1 is an external URI and domain-2 is internal).
In order to do so I sub_filter the URI called, to allow internal callers to reach resources without using http_auth,
but WordPress keeps redirecting me (301) to domain-1, which is the one set as website_URL and homepage inside the WordPress config.
How to avoid this? How to make WordPress serve two different domains without redirecting the user?
curl https:/// -vv :
* Trying XXX.XXX.XXX.XXX:443...
* Connected to <domain-2> (XXX.XXX.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=<domain-2>
* start date: Jan 4 16:50:48 2022 GMT
* expire date: Apr 4 16:50:47 2022 GMT
* subjectAltName: host "<domain-2>" matched cert's "<domain-2>"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ff559cca60)
> GET / HTTP/2
> Host: <domain-2>
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 301
< content-type: text/html; charset=UTF-8
< date: Wed, 12 Jan 2022 13:07:09 GMT
< location: https://<domain-1>/
< server: Unknow
< x-powered-by: PHP/7.4.27
< x-redirect-by: WordPress
< content-length: 0
<
* Connection #0 to host <domain-2> left intact
The proxy_set_header X-Forwarded-Host $host; line was the issue, since passing the host to WordPress would induce a redirect.
Just removing the line did the job.
Current configuration:
server {
    listen 80 default_server;
    server_name localhost;
    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;
    location / {
        client_max_body_size 200M;
        proxy_redirect off;
        proxy_buffering off;
        proxy_read_timeout 1m;
        proxy_connect_timeout 1m;
        proxy_set_header Proxy "";
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<id>-wordpress;
        sub_filter_once off;
        sub_filter_types *;
        sub_filter_last_modified off;
        sub_filter '<domain-1>' '$host';
        sub_filter '<domain-2>' '$host';
    }
}